[Xymon] SSL Error [SEC=UNCLASSIFIED]
David Baldwin
david.baldwin at ausport.gov.au
Thu Nov 3 05:22:41 CET 2016
Martin,
There is an option for xymonnet to enable SNI - here's my tasks.cfg
snippet - see man xymonnet
[xymonnet]
ENVFILE /home/xymon/server/etc/xymonserver-net.cfg
NEEDS xymond
CMD xymonnet --report --ping --checkresponse --bb-proxy-syntax
--sni=on --timeout=20 --sslkeysize=2048
LOGFILE $XYMONSERVERLOGS/xymonnet.log
INTERVAL 5m
> Hi Xymon community,
>
> I'm getting a bunch of SSL Error alerts on some websites.
>
> Here is one example:
>
> https://kct-uat.agriculture.vic.gov.au/
>
> If I add this to xymon, I get:
>
> Thu Nov 3 03:50:38 2016: SSL error
> red https://kct-uat.agriculture.vic.gov.au/- SSL error
>
> I did some digging through the xymon archives and openssl errors and
> found this:
>
> http://lists.xymon.com/archive/2013-January/036688.html
>
> and this:
>
> http://stackoverflow.com/questions/24457408/openssl-command-to-check-if-a-server-is-presenting-a-certificate
>
>
> so when I run this command from my Xymon server I get the 104 error:
>
> # openssl s_client -connect kct-uat.agriculture.vic.gov.au:443
> CONNECTED(00000003)
> write:errno=104
> ---
> no peer certificate available
> ---
> No client certificate CA names sent
> ---
> SSL handshake has read 0 bytes and written 247 bytes
> ---
> New, (NONE), Cipher is (NONE)
> Secure Renegotiation IS NOT supported
> Compression: NONE
> Expansion: NONE
>
> But if I add the SNI, I get a nice connection:
>
> # openssl s_client -connect kct-uat.agriculture.vic.gov.au:443
> -servername kct-uat.agriculture.vic.gov.au
> CONNECTED(00000003)
> depth=2 C = US, O = DigiCert Inc, OU = www.digicert.com, CN = DigiCert
> High Assurance EV Root CA
> verify return:1
> depth=1 C = US, O = DigiCert Inc, OU = www.digicert.com, CN = DigiCert
> SHA2 High Assurance Server CA
> verify return:1
> depth=0 C = AU, ST = Victoria, L = Melbourne, O = "Department of
> Economic Development, Jobs Transport and Resources", CN =
> *.agriculture.vic.gov.au
> verify return:1
>
> New, TLSv1/SSLv3, Cipher is ECDHE-RSA-AES256-SHA384
> Server public key is 2048 bit
> Secure Renegotiation IS supported
> Compression: NONE
> Expansion: NONE
> SSL-Session:
> Protocol : TLSv1.2
> Cipher : ECDHE-RSA-AES256-SHA384
> Session-ID:
> DC460000EC412D00D689C7E10DF575272E026FF475153A6367229629D79D15CF
> Session-ID-ctx:
> Master-Key:
> 0EE96C944F5746D3524A17580FD7907716FBA724C1B8909CA96430C2F7262EC469CD9CBD1D25A6ADDB791A6E45AAAB76
>
> Key-Arg : None
> Krb5 Principal: None
> PSK identity: None
> PSK identity hint: None
> Start Time: 1478145325
> Timeout : 300 (sec)
> Verify return code: 0 (ok)
>
> But now I'm not sure what to do next... Any ideas?
>
> Thanks,
>
> Martin.
>
> ---
> ********************************************************************************
> Department of Economic Development, Jobs, Transport and Resources,
> Government of
> Victoria, Victoria, Australia.
>
> This email, and any attachments, may contain privileged and confidential
> information. If you are not the intended recipient, you may not
> distribute or
> reproduce this e-mail or the attachments. If you have received this
> message in
> error, please notify us by return email.
> ********************************************************************************
>
>
> _______________________________________________
> Xymon mailing list
> Xymon at xymon.com
> http://lists.xymon.com/mailman/listinfo/xymon
--
David Baldwin - Senior Systems Administrator (Datacentres + Networks)
Digital Information Management and Technology
Australian Sports Commission http://ausport.gov.au
Tel 02 62147830 Fax 02 62141830 PO Box 176 Belconnen ACT 2616
david.baldwin at ausport.gov.au 1 Leverrier Street Bruce ACT 2617
Our Values: RESPECT + INTEGRITY + TEAMWORK + EXCELLENCE
-------------------------------------------------------------------------------------
Keep up to date with what's happening in Australian sport visit http://www.ausport.gov.au
This message is intended for the addressee named and may contain confidential and privileged information. If you are not the intended recipient please note that any form of distribution, copying or use of this communication or the information in it is strictly prohibited and may be unlawful. If you receive this message in error, please delete it and notify the sender.
-------------------------------------------------------------------------------------
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.xymon.com/pipermail/xymon/attachments/20161103/3e17b502/attachment.html>
More information about the Xymon
mailing list